California consumers have only a narrow private right of action under the recently enacted California Consumer Privacy Act (CCPA) to bring suit if a data breach results in the loss or theft of their personal information. To date, two lawsuits have been filed asserting direct claims under the CCPA's private right of action, in both cases complaining about data breaches that occurred in 2019, prior to the law's going into effect. The plaintiff in Barnes v. Hanna Andersson, No. 4:20-cv-00812-DMR (N.D. Cal.), initially asserted only negligence and §17200 claims, but then amended to add a CCPA claim in a case arising out of a data breach that clothing retailer Hanna Andersson announced in early 2020, but that occurred in late 2019. A few weeks later, the plaintiff in Fuentes v. Sunshine Behavioral Health Group, No. 8:20-cv-00487 (C.D. Cal.), similarly included a direct claim under the CCPA alongside other contractual, common law, and statutory causes of action concerning a breach involving rehab facilities that occurred in the fall of 2019 but was only disclosed publicly in January 2020. Putting aside the issue of their reliance on breaches that occurred prior to the CCPA's effective date, the Barnes and Fuentes complaints allege the kind of post-data breach claims directly under the CCPA's private right of action that have long been expected.

More interesting than these direct claims, however, are the attempts by litigants in recent filings to employ the CCPA indirectly (in particular via California's Unfair Competition Law), where a direct CCPA claim is unavailable, asserting that the CCPA's substantive provisions support claims that the private right of action does not cover. The CCPA does not provide any private right of action for a CCPA violation outside the data breach context, nor does it provide a private right of action as to every data breach, but that has not stopped plaintiffs from relying upon the CCPA's substantive provisions in lawsuits not predicated on the CCPA's limited private right of action. These efforts have the potential to increase the litigation costs and possible legal exposure for businesses collecting personal information from Californians, even if the plaintiffs may face hurdles in ultimately prevailing. So what is a business to do? This article looks in depth at this recent effort by private plaintiffs to rely on the CCPA to support claims not falling within the CCPA's private right of action and provides practical tips businesses can use now to help minimize the risks presented by such claims in future litigation.


Limitations of the CCPA Private Right of Action

The CCPA's much talked about private right of action permits individuals to bring suit only if certain unencrypted and unredacted personal information, as defined in California Civil Code §1798.81.5(d)(1)(A), is subject to actual "unauthorized access and exfiltration, theft, or disclosure as a result of [a] business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information" provided that they give 30 days' notice to the business to permit a cure prior to filing. Cal. Civ. Code §§1798.150(a)(1), (b). Beyond that, however, all enforcement of the CCPA is left to the attorney general. See Cal. Civ. Code §1798.155(b). The individual private right of action thus will not apply in the context of many data breaches that are publicly disclosed and will not apply outside the breach context at all. The CCPA's private right of action is accordingly quite limited by its own express terms.

The CCPA also contains language providing that nothing in the CCPA should "be interpreted to serve as the basis for a private right of action under any other law." Cal. Civ. Code §1798.150(c). No court has yet ruled on the scope and effect of this language on any action brought under another law. However, plaintiffs are already showing a willingness to try their luck with pulling the CCPA into non-CCPA-based claims, the theory being that in those claims the CCPA is serving not as "the basis for a private right of action under" the other law being invoked, but rather to define the contours of the defendant's duty under that other law.


CCPA Violations as Unlawful Activity Under §17200

In a complaint filed in late February, the plaintiffs in Burke v. Clearview AI, No. 3:20-cv-00370-BAS-MSB (S.D. Cal.), sued the creators of facial recognition software that creates individuals' "faceprints" by scraping online photograph sources and using them to build profiles. The plaintiffs assert, among other things, a claim under California's Unfair Competition Law, Bus. & Prof. Code §17200 et seq. ("§17200"), based on the defendant's alleged violation of the CCPA's requirement that a business obtain consent before collecting personal information about consumers. The Burke plaintiffs assert that, by reason of having violated the CCPA, the defendant's conduct was not only a "deceptive and unfair business practice," but also an "unlawful act or practice," for purposes of §17200.

A complaint involving a data breach occurring in 2020 was filed on March 12, 2020 in Almeida v. Slickwraps Inc., No. 20-cv-00559-TLN-CKD (E.D. Cal.) and does not include a direct claim under the CCPA. Instead, the CCPA appears in the complaint as one of a list of bases for a §17200 claim. Notably, among its litany of alleged cybersecurity shortcomings, the §17200 cause of action includes an accusation that Slickwraps failed to maintain a privacy policy and inform its customers of its data usage—like in Burke, asserting a CCPA violation for which the statute itself provides no direct right of action. In a similar case filed slightly earlier, Hernandez v. PIH Health, No. 2:20-cv-1662 (C.D. Cal.), an alleged CCPA violation appears in another laundry list of alleged statutory violations pled in support of a §17200 claim relating to a data breach alleged to have affected a regional healthcare network in mid-2019.

Plaintiffs bringing security- and privacy-related claims under §17200 will still face substantial challenges even where they are able to allege that the defendant violated the CCPA.[1] But by being able to allege such a violation, a plaintiff can potentially hinge a §17200 claim on the statute's "unlawful act or practice" prong and have the claim survive even where the plaintiff is unable to meet the requirements for pleading a violation of the "fraudulent" prong and/or the "unfairness" prong of §17200. Moreover, the ability to allege a statutory violation could potentially help a plaintiff plead "unfairness" under §17200.[2] Thus, the ability of a plaintiff to point to a specific CCPA provision prohibiting the very conduct being challenged under §17200 could greatly assist the plaintiff in clearing the gating hurdle of pleading a violation of §17200. Although plaintiffs' invocation of §17200 in this way is questionable given the express language of the CCPA, plaintiffs are bringing these claims and increasing the cost and risk of litigation, particularly if courts were to accept plaintiffs' view.[3]


How Can Companies Prepare for These Litigation Risks?

If businesses are thinking only about Attorney General enforcement actions and post-breach CCPA claims by consumers, they may be missing additional potential liability risk or at least the risk of expensive and time-consuming consumer class litigation. This litigation risk underscores the value of putting substantial effort into complying with the CCPA with the assistance of experienced counsel. The good news is that the same steps companies are already taking to reduce CCPA risk generally will help address this risk as well. For example, here are some steps that a company can take now to mitigate the risk of CCPA-related litigation:

  • Consider arbitration agreements. If consumers agree to arbitration, including mandatory individual arbitration, a company can substantially limit its exposure to both direct class actions under the CCPA as well as other claims importing the law's substantive provisions.
  • Assess opportunities to shift risk. By including indemnification provisions in contracts with vendors and service providers and by obtaining cyber insurance, a company can avoid at least some of the liability it might otherwise face in a lawsuit directly or indirectly based upon CCPA violations.
  • Exercise caution in responding to consumer notices. Before bringing a suit under the CCPA, consumers must provide written notice and give the business a chance to respond in writing that the alleged violation has been cured. See Civ. Code §1798.150(b). While such a response would bar a direct action under the CCPA, written confirmation that a problem existed could be valuable ammunition for a plaintiff bringing a statewide or national negligence, contractual, or consumer protection action that would not be barred. Businesses should think carefully about what they are saying and how they are saying it to avoid making situations much worse for themselves with unintentional admissions or just too much detail.
  • Exercise caution in responding to notices from the Attorney General. As with consumer actions, a business may avoid an enforcement action by confirming in writing that alleged noncompliance has been cured. See Civ. Code §1798.155(b). But if the correspondence with the Attorney General is made public—as data breach notifications already are in California—the same risk of confirming past noncompliance to potential private plaintiffs would arise.

Endnotes:

[1] First and foremost, a plaintiff only has standing to pursue such a claim if he "has suffered an injury in fact and has lost money or property." See Cal. Bus. & Prof. Code §17204. The complaint in Burke parrots that language and Almeida claims "economic damages," but it will likely be the rare case in which a CCPA violation will cause a plaintiff an injury of this sort. Alleging a CCPA violation, moreover, may require significantly more than what was done in the cases filed to date. By its terms, for example, the CCPA provides that a business is only in violation of the CCPA if it fails to cure an alleged violation within 30 days of receiving notice of the purported noncompliance, Cal. Civ. Code §1798.155(b) – something that is not alleged in any cases discussed herein.

[2] The "unlawful" prong of §17200 permits a plaintiff to "borrow" the violation of another law to make a business act or practice subject to its provisions. See Cel-Tech Comm'ns v. L.A. Cellular Tel. Co., 20 Cal. 4th 163, 180. There is a three-way split in California courts' approaches to determining whether a practice is "unfair": (1) weighing unavoidable injury to the consumer versus countervailing benefits, (2) assessing whether an act "offends an established public policy" or is "immoral, unethical, oppressive, unscrupulous or substantially injurious to consumers," or (3) seeking a "tether[]" to a law that may not be violated in its letter but is in its spirit and the policy behind it. West v. JPMorgan Chase Bank, N.A., 214 Cal. App. 4th 780, 806 (2013).

[3] Interestingly, no plaintiff has yet attempted to bring a negligence claim on a negligence per se theory based upon an alleged violation of the CCPA, using California Evidence Code §669 to establish the necessary standard of care and its breach. Such a claim would, however, face the same potentially fatal challenges as any other negligence claim in the data breach context as to the existence of a duty and the causation of injuries sufficient to sustain a negligence claim. See Kinney v. CSB Constr., 86 Cal. App. 4th 840 (2001) (noting that §669 applies as to the standard of care, but not the duty).

Doug Meal is a partner at Orrick, Herrington & Sutcliffe and head of the firm's cyber & privacy litigation and regulatory enforcement practice. Michelle Visser is a partner in the cyber practice. David Cohen is of counsel and Rebecca Harlow is an associate in the group.